support private share modes

2024-11-21 15:43:22 +01:00 · 2024-06-25 15:40:28 -04:00 · 2024-06-25 15:40:28 -04:00 · ae1cce618d
commit ae1cce618d
parent 007701ad0b
6 changed files with 74 additions and 4 deletions
--- a/.goreleaser-linux-arm64.yml
+++ b/.goreleaser-linux-arm64.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux-armhf.yml
+++ b/.goreleaser-linux-armhf.yml
@ -112,6 +112,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/.goreleaser-linux.yml
+++ b/.goreleaser-linux.yml
@ -108,6 +108,9 @@ nfpms:
      - dst: /lib/systemd/system/
        src: ./nfpm/zrok-share.service

+      - dst: /etc/systemd/system/zrok-share.service.d/override.conf
+        src: ./nfpm/zrok-share.service.override.conf
+
      - dst: /opt/openziti/etc/zrok
        type: dir
        file_info:
--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@ -55,7 +55,7 @@ fi
 }

 # default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
-: "${ZROK_FRONTEND_MODE:-reserved-public}"
+: "${ZROK_FRONTEND_MODE:=reserved-public}"
 if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
  ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
 elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
@ -121,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in
      echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
    fi
    ;;
+  tcpTunnel|udpTunnel|socks|vpn)
+    if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then
+      echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
+      exit 1
+    else
+      case "${ZROK_BACKEND_MODE}" in
+        tcpTunnel|udpTunnel)
+          echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'"
+          ;;
+        vpn)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf
+            if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then
+              echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\
+                    "and run 'systemctl daemon-reload' to enable VPN mode" >&2
+              exit 1
+            fi
+          fi
+          ;;
+        socks)
+          if [[ -n "${ZROK_TARGET}" ]]; then
+            echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2
+            unset ZROK_TARGET
+          fi
+          ;;
+      esac
+    fi
+    ;;
  *)
    echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
          " ZROK_TARGET value will not validated before running." >&2
    ;;
 esac

-[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && {
+[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
  ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
 }

--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@ -21,13 +21,17 @@ ZROK_ENVIRONMENT_NAME=""
 #ZROK_API_ENDPOINT="https://api.zrok.io"

 #
-## ZROK BACKEND TARGET
+## ZROK BACKEND MODE AND TARGET
 #
 # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
 # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
 # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
 # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
+
 #
+## BACKEND MODES THAT WORK WITH PUBLIC OR PRIVATE SHARES (HTTP)
+#
+
 # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
 # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
 ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
@ -60,6 +64,26 @@ ZROK_BACKEND_MODE="proxy"
 # NOTE: basic auth and oauth are mutually exclusive
 ZROK_SHARE_OPTS=""

+#
+## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
+#
+
+#ZROK_BACKEND_MODE="tcpTunnel"
+#ZROK_TARGET="127.0.0.1:25565"
+
+#ZROK_BACKEND_MODE="udpTunnel"
+#ZROK_TARGET="127.0.0.1:53"
+
+# you must grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
+# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
+# systemctl daemon-reload
+#ZROK_BACKEND_MODE="vpn"
+#ZROK_TARGET="172.16.0.1/12"
+
+# there is no target for socks mode because the share is only a dynamic exit for the proxy client
+#ZROK_BACKEND_MODE="socks"
+#ZROK_TARGET=""
+
 #
 ## ZROK FRONTEND 
 #
@ -88,5 +112,4 @@ ZROK_SHARE_OPTS=""
 #ZROK_FRONTENDS="public"

 # you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private 
-# WARNING: changes take effect the next time the frontend URL is reserved
 #ZROK_FRONTEND_MODE="reserved-public"
--- a/nfpm/zrok-share.service.override.conf
+++ b/nfpm/zrok-share.service.override.conf
@ -0,0 +1,10 @@
+[Service]
+
+#
+## extra permissions
+#
+
+# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn
+# AmbientCapabilities=CAP_NET_ADMIN
+
+# you must run 'systemctl daemon-reload' after modifying this file